proxy2 :) Greg

> Well, something was obviously wrong... without logs, details, etc, we won't be able to help. But, a rule is a rule. If the rule is properly created and applied, then it will work.
>
> If you are worried about "relying" on a rule or not, or how to basically bypass ISA functionality, then uninstall ISA, download squid, and be done with it...
>
> t
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Zoran Marjanovic
> Sent: Monday, February 25, 2008 5:03 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
>
> Hi T,
>
> Thanks for the info. I read the script and its description and figured out that it prevents stopping the firewall service in case of logging failure and that ISA enters LD when its firewall service is stopped. I have not tried it yet.
>
> When you create 2 identical (and very simple - web publishing) rules in 20 minutes using ISA's rule wizard, and the first time it fails and the second time it works, then I would not say it was me. This happened to me (and other people I know) many times during several years on both ISA 2004 and 2006 on completely different systems. I did not ask you to explain (or whatever) this, I just said that I would not rely on the "allow all" rule if I do not have to.
>
> Zoran
>
> ----- Original Message ----
> From: Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx>
> To: isapros@xxxxxxxxxxxxx
> Sent: Tuesday, 26 February, 2008 11:45:16 AM
> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
>
> The script I linked to actually does disable lockdown mode itself -- I've used it many times before. But, as I said, it also works to disable the alerts that cause lockdown. Dr. Shinder actually pointed this out to me to help with a logging issue I had that was causing lockdown.
>
> I really didn't want to completely disable LD mode, but at the time didn't know I could just disable alerts individually. But, as stated, the script does disable LD.
>
> If you want caching, the firewall service has to be running. I'm not sure what problems you had with rules working, but it had to be something you (or whoever) were not doing properly. Rules don't "work one time and not the other."
>
> But, the allow all from all will 'work' so I'm not sure what else to tell you...
>
> t
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Zoran Marjanovic
> Sent: Monday, February 25, 2008 4:37 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
>
> Hi T,
>
> Thanks for your help. I saw the script and found out that it does not disable the lockdown mode itself.
>
> ' Get a reference to the "Log failure" alert object,
> ' and modify it so that it will not stop the Firewall service.
> ' Ensure that the DropConnectionOnLogError property
> ' is set to False.
>
> "By default, the built-in Log failure alert shuts down the Firewall service. This alert is triggered by the Log failure event, which is raised when a logging failure occurs. You can prevent logging failures from causing ISA Server to go into lockdown by disabling the action of the Log failure alert that shuts down the Firewall service."
>
> I wanted to stop the firewall service manually (and disable it). I spent several hours on the Internet and did not find anything that could help or even explain what can be done.
>
> I am not sure that the "allow all" rule really takes care of it. I experienced faulty rules on both ISA 2004 and 2006, you know, you create it and it does not work. Then you delete it and recreate the identical one, and then it works. I experienced a similar problem on Vista's firewall while setting RDP communication.
> That is why I wanted to turn firewalling off completely.
>
> I am not responsible for this system, but I know that it's a multi-site system with 1 Internet connection. They run ISA 2004 (array) firewall on the exit point. The ISA in question is located in a branch office which is connected to the main office.
>
> The guys who manage this school asked my boss to borrow me in order to help them with the specific problem. They did not want (unfortunately) to discuss what/how/why they did so far. It looks like they have very limited resources.
>
> That's pretty much it.
>
> Thanks.
>
> Zoran
>
> ----- Original Message ----
> From: Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx>
> To: isapros@xxxxxxxxxxxxx
> Sent: Tuesday, 26 February, 2008 1:27:38 AM
> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
>
> The guy hasn't even logged on to the box yet... Let's not beat on him out of the gate, shall we?
>
> Zoran, though your configuration is not supported, and indeed doesn't provide any firewall features, it looks like they don't want it to anyway...
>
> Yes, you can disable lockdown mode entirely on 2004:
> http://www.microsoft.com/technet/isa/2004/plan/disablelockdownonlogfailure.mspx
>
> You can also disable the events that cause lockdown mode if you would like in Alerts. In order to cache, the firewall service would need to be running, but it looks like the "allow all" rule is already taking care of that.
>
> I take it this box is not connected to the internet, and that you've got some NAT device as the "router," right? If you are now in charge of this environment, then at least give them the protection they have paid for and move the DC to the SMS box and stick the ISA box at the border.
> Putting the DC on the ISA box is always a bad idea and breaks the security model, no matter what the circumstances -- now, in your case, you really don't have an "ISA" box, but rather, just a box inside the network that you wanted to turn into a caching proxy.
>
> As you can tell, not only is the configuration not supported, but when we see people talking about this type of hork, it gets under our craw a bit as it illustrates that someone is purposefully going out of their way to build the worst possible configuration for the product.
>
> hth.
>
> t
>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> Sent: Monday, February 25, 2008 6:07 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
>>
>> (there is a rule "allow all") - <WHIMPER>
>> ISA has ceased to protect the server where it resides.
>> This is the example your school creates for its students?!?
>>
>> Point your school network admins to this link:
>> http://www.microsoft.com/technet/isa/2004/plan/unsupportedconfigs.mspx
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Zoran Marjanovic
>> Sent: Sunday, February 24, 2008 8:35 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
>>
>> Thanks Thomas.
>>
>> It's a school and they insisted on it. Interestingly, DC works fine and clients have no problems at all (there is a rule "allow all", I was told).
>> The problem their admin experienced was related to accessing a share hosted on this ISA box by their MS SMS (another box).
>> I have not logged on to the server yet so I am not sure what errors they got and how it really looks. My first thought was to simply shut firewalling down, since they do not need it.
>> I will probably check it today and will let you know if I figure out what the issue was.
>>
>> Cheers,
>>
>> Zoran
>>
>> ----- Original Message ----
>> From: Thomas W Shinder <tshinder@xxxxxxxxxxx>
>> To: isapros@xxxxxxxxxxxxx
>> Sent: Monday, 25 February, 2008 2:43:17 PM
>> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
>>
>> The ISA firewall is NOT supported on a DC, so it's a moot question.
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Zoran Marjanovic
>> Sent: Sunday, February 24, 2008 8:33 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] ISA 2004 issue - cache only/single homed
>>
>> Hi guys,
>>
>> It is a "multi-practic" server :), Win 2003 SP1, DC, ISA, file server... huh, with only 1 NIC.
>>
>> Could you please confirm that Lockdown mode in ISA 2004 cannot be disabled? (I think I saw it somewhere but cannot find it now)
>>
>> Also, is it possible to install ISA without its firewall service because all I need is caching?
>>
>> Thanks a bunch!
>>
>> Zoran
>>
>> ________________________________
>>
>> Get the name you always wanted with the new y7mail email address <http://au.rd.yahoo.com/mail/taglines/au/y7mail/default/*http:/au.yahoo.com/y7mail/?p1=ni&p2=general&p3=tagline&p4=other> .